The present invention relates to a packet transfer method and apparatus for transferring a packet between a plurality of network segments, and a storage medium which stores a program therefor.
In a conventional packet transfer apparatus connected between a plurality of network segments to transfer packets between them, whether a packet is to be transferred is determined, in order to prevent any illicit access, on the basis of the destination/transmission source network address, service number, and the like, which are set by the user through a network or another setting means.
The illicit access preventing means in the conventional packet transfer apparatus will be described with reference to FIGS. 1 through 3. FIG. 1 shows the arrangement of the conventional packet transfer apparatus. A packet transfer apparatus 01 has, as its components, a packet receiving section 02 for receiving a packet from a network segment as a transmission source, a packet filter section 03 for controlling to filter (select) the packet received by the packet receiving section 02, a packet sending section 04 for sending the packet that has passed through the packet filter section 03 to another network segment as a sending destination, a rule setting section 05 for setting the network address, service number of the destination/transmission source, or the like to prevent any illicit access, and a rule holding section 06 which holds information such as an address set by the rule setting section 05 and is looked up by the packet filter section 03.
FIG. 2 shows the arrangement of a network system including the packet transfer apparatus 01 having the above arrangement, and FIG. 3 shows contents stored in the rule holding section 06 of the packet transfer apparatus 01.
The user presets in the rule holding section 06, using the function of the rule setting section 05, e.g., the destination/transmission source network addresses, the service number, and identification information representing whether transfer is to be permitted.
Assume that a network system as shown in FIG. 2 is built using the packet transfer apparatus 01 having the arrangement shown in FIG. 1, and the user makes the rule holding section 06 hold in advance set contents (rules) as shown in FIG. 3 using the function of the rule setting section 05.
In this state, for example, assume that the packet receiving section 02 receives a packet which requests use of the HTTP service of a host having network address [192.168.0.31] from a host having network address [192.168.1.12].
The received packet is sent to the packet filter section 03.
The packet filter section 03 looks up the rules shown in FIG. 3, which are preset by the user and stored in the rule holding section 06.
The packet filter section 03 looks up the rules shown in FIG. 3, determines that an access from the host having network address [192.168.1.12] to use the HTTP service of the host having network address [192.168.0.31] is permitted, and sends the packet to the packet sending section 04. The packet is transferred from the packet sending section 04 to the host having network address [192.168.0.31], thus completing communication.
Instead, for example, assume that the packet receiving section 02 receives a packet which requests use of the HTTP service of the host having network address [192.168.0.31] from a host having network address [192.168.1.13]. The received packet is sent to the packet filter section 03.
The packet filter section 03 looks up the rules shown in FIG. 3, which are preset by the user and stored in the rule holding section 06.
The packet filter section 03 looks up the rules shown in FIG. 3 and determines that an access from the host having network address [192.168.1.13] to use the HTTP service of the host having network address [192.168.0.31] is inhibited. Hence, this packet is determined as an illicit access by the packet filter section 03 and discarded, so the received packet is not sent from the packet sending section 04.
A packet of another destination/transmission source/service is also sent/discarded in accordance with the contents (rules) in the rule holding section 06 shown in FIG. 3 in the same way as described above.
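The rule lookup described above, written out as an added example (not code from the patent): a rule table standing in for the rule holding section 06, a filter function standing in for the packet filter section 03, and the two worked packets from the text. The table contents and the service number for HTTP (port 80) are assumptions, since FIG. 3 is not reproduced here; unmatched packets are discarded.

```python
from dataclasses import dataclass
from typing import List, Optional

HTTP = 80  # assumed service number for the HTTP service in the worked example


@dataclass(frozen=True)
class Rule:
    """One entry of the rule holding section: addresses, service, verdict."""
    src: str                 # transmission source network address, "*" = any
    dst: str                 # destination network address, "*" = any
    service: Optional[int]   # service number, None = any
    permit: bool             # identification information: True = transfer, False = inhibit


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: int
    payload: bytes = b""     # never consulted by the filter, as the text points out


# Constructed rule table approximating FIG. 3; the patent text only states
# that .12 -> .31 HTTP is permitted and .13 -> .31 HTTP is inhibited.
RULES: List[Rule] = [
    Rule("192.168.1.12", "192.168.0.31", HTTP, True),
    Rule("192.168.1.13", "192.168.0.31", HTTP, False),
]


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("*", pkt.src)
            and rule.dst in ("*", pkt.dst)
            and rule.service in (None, pkt.service))


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> bool:
    """Packet filter section: the first matching rule decides; no match means discard."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.permit
    return False  # default deny for sources/services with no rule


def transfer(pkt: Packet, rules: List[Rule] = RULES) -> Optional[Packet]:
    """Packet sending section: the packet if it is transferred, None if discarded."""
    return pkt if filter_packet(pkt, rules) else None
```

Because only the header fields are consulted, two packets from the permitted source that differ solely in their payload receive the same verdict, which is the limitation discussed next.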
The illicit access preventing means in the conventional packet transfer apparatus described above determines whether a packet is to be transferred only on the basis of, e.g., the MAC (Media Access Control) address of the destination/transmission source, or the destination/transmission source address or service number of an upper protocol. It therefore cannot prevent an illicit access that uses an address or service number for which transfer is permitted, and is insufficient for the purpose of preventing a packet related to an illicit access from passing.
For example, even when all the destination/transmission source MAC addresses, or the destination/transmission source addresses or service numbers of upper protocols, are correctly set, a packet whose data constitutes an illicit access is still transferred as long as it comes from a permitted transmission source, and the data carried by the packet can cause an operation error of an application or the like on the receiving-side system, resulting in a problem of reliability.
In addition, the setting of the destination/transmission source MAC address, the destination/transmission source address or service number of an upper protocol, or the like, which is used to determine whether a packet is to be transferred, changes depending on the user or installation place, and the setting must be done each time a packet transfer apparatus is installed. However, this setting is difficult, so setting errors often occur and allow an illicit access.
Furthermore, a network address such as an IP address is necessary for setting through a network, and this can be an illicit access target.
Even when a packet which is determined not to be transferred in accordance with, e.g., the destination/transmission source MAC address, or the destination/transmission source address or service number of an upper protocol, has arrived, it is not always an illicit access. Hence, the mere arrival of a packet that is determined not to be transferred does not by itself indicate that an illicit access is being made.
As described above, the illicit access preventing means in the conventional packet transfer apparatus determines whether a packet is to be transferred only on the basis of, e.g., the MAC address of the destination/transmission source, or the destination/transmission source address or service number of an upper protocol. It therefore cannot prevent an illicit access that uses an address or service number for which transfer is permitted, and is insufficient for the purpose of preventing a packet related to an illicit access from passing.
As described above, the conventional packet transfer apparatus has various reliability problems related to illicit access prevention and imposes a large operation load on the user.